Embedded Systems Hacking and 
My Plot To Take Over The World 

Version 2.0 



"What are we going to do tonight, Brain?"

"The same thing we do every night, Pinky. TRY AND TAKE OVER THE WORLD!"



Paul Asadoorian

Founder & CEO, PaulDotCom Enterprises

http://pauldotcom.com

paul@pauldotcom.com



Who am I? 



I had this really boring slide about who I am 

Then I realized that's not really who I am 

What follows is the "Powerpoint" version of "a 
little about me"... 



PaulDotCom Security Weekly

http://www.pauldotcom.com

• 2005 - Present
• ~200 episodes
• Awards, blah
• Thursdays 7PM
• Hack Naked
• Why Hack Naked?
• Computer Destruction
• Hail Nessus!



My day job: I work for Tenable Network Security 
as a "Product Evangelist" 

I use Tenable products and write blogs, publish 
podcasts, teach courses, and produce videos 



http://blog.tenablesecurity.com

Recently we released an iPhone app

[Screenshot: iPhone App Store search for the app; the "Did you mean" suggestion reads "Find Jesus?"]
Taking Over The World

Many have tried

No one truly successful

What are the three things you need to take over the world?

- Yes, I've spent time thinking about this

All geeks like to deal with "specifications" and "requirements"
Requirements For World Domination

1. Money - You need to buy stuff, like armies, countries, pay people off, ...

2. Power - You need the ability to use those resources to influence & control people

3. Stealth - If everyone knows about your plan, it is doomed from the beginning
Using Embedded Systems To Make Money

Video games - Most are involved in commerce and network connected

Entertainment - Apple TV/iTV, Roku, all link back to your credit card somehow

Wireless routers - Route your traffic when doing online banking, Paypal, Ebay, etc...

Printers/Fax - How many times have you printed sensitive information?

[Image: "Enjoy your media on your big screen TV"]
Using Embedded Systems To Gain Power

Network traffic (e.g. information) flows through them

Information = Power

- The ability to manipulate information is powerful

Multiple computers can be controlled at once
Using Embedded Systems To Gain Power

Embedded systems are integral to controlling water, electricity, and sewage treatment

See research from Josh Wright (http://www.willhackforsushi.com) and Travis Goodspeed (http://

"Advanced Metering Infrastructure Attack Methodology" from InGuardians

PaulDotCom Security Weekly
http://pauldotcom.com
August 2010



Benefits To Targeting Embedded Systems - Stealth

No one pays attention to them until they are broken

Security is left out to save resources and money and to keep things easy (as is logging)

■ Vendors are focused on profit, which also never equals security

■ Competition has driven vendors to cut costs to make products cheaper

Potentially no interactive user (mouse/keyboard)
Benefits Of Targeting Embedded Systems - Stealth

• Embedded systems contain vulnerabilities that go unnoticed because everyone looking for them does not have every device that was ever made

• That's not to say you can't get them or scan the Internet to find them

• "Can you send me a free router in exchange for some security testing?"
They Are Everywhere

SSID Stats (top 1000)

SSID               Total     Percent
<no ssid>          2032613   7.722%
linksys            1925156   7.314%
NETGEAR             590105   2.242%
default             571273   2.170%
Belkin54g           255678   0.971%
no_ssid             215143   0.817%
Wireless            214047   0.813%
hpsetup             190005   0.721%
DLINK               145280   0.551%
WLAN                110940   0.421%
home                 93809   0.356%
ACTIONTEC            86900   0.330%
<hidden ssid>        72714   0.276%
Free Public WiFi     68135   0.258%
smc                  54086   0.205%
BTOpenzone           44359   0.170%

Manufacturer Stats

Manufacturer     Total     Percent
Linksys          2785856   10.534%
D-Link           1345793    5.113%
Cisco            1198187    4.552%
Dell              902170    3.427%
Netgear           828954    3.149%
Belkin            468182    1.778%
2wire             454750    1.727%
Symbol            315140    1.197%
Apple Computer    235942    0.896%
Alpha Networks    208211    0.791%
SMC               202054    0.767%
Lucent            201312    0.764%
Trend             190876    0.725%
Intel             174874    0.664%
Askey             169671    0.644%
Orinoco           165133    0.627%
Buffalo           145722    0.553%
Avaya             145717    0.553%
In Places Like Boston

And They Are Vulnerable...

Researchers scanning the internet for vulnerable embedded devices have found nearly 21,000 routers, webcams and VoIP products open to remote attack. Their administrative interfaces are viewable from anywhere on the internet and their owners have failed to change the manufacturer's default password.

http://www.wired.com/threatlevel/2009/10/vulnerable-devices/

The researchers have provided ISPs with their findings in the hope that they will do something to protect vulnerable customers.



And No One Wants To Be Responsible For Them

Chen said he contacted Time Warner's security department four weeks ago and was told that the company was aware of the security vulnerability but "cannot do anything about it."

Time Warner's Dudley says the SMC8014 modem/routers are just a small portion of the 14 million devices its customers are using.

http://www.wired.com/threatlevel/2009/10/time-warner-cable/
What if "Bob" Scanned the

Use Google, find most popular ISPs that provide cable modem routers to users (or other interesting devices)

Use ARIN to discover the IP address ranges assigned to those ISPs

Use Nmap to discover all devices that have port 80 open and identify the service/banner

Manually poke through results and see what you find

- Or automate something to find vulnerabilities, exploit them, and upload custom configurations and/or firmware
Example Vulnerabilities We Could Look For

Wireless Routers - TONS of FAIL on the Internet

- Default, weak, or missing passwords are COMMON

- Linksys HNAP - Information leakage and lame denial of service with no mitigation

Printers - JetDirect authentication weaknesses, HP Multifunctions, Lanier printer information disclosure

Roku Player - Entertainment device
Shodan is Handy For Exploring The Internet

A known vulnerability or poor implementation in "Huawei" routers helps take over countries

[Screenshot: SHODAN Computer Search Engine results. Top countries matching the search: Venezuela, China, United States. A 2010 result shows an "HTTP/1.0 401 Unauthorized" response with "Server: micro_httpd", "Cache-Control: no-cache", a "WWW-Authenticate: Basic realm=..." header naming a Huawei device, "Content-Type: text/html" and "Connection: close".]

A whois lookup returns comprehensive results


Scanning the Internet is Time Consuming

• Scanning the Internet is fun (so Bob tells me)

• It takes a long time, even when limiting to one port

# nmap --version-light --open --min-hostgroup 1024 -T4 -n -PN -oG results.gnmap -sV -p 80 -iL isp.targetips

524288 IP addresses (32620 hosts up) scanned in 9769.46 seconds (2.7 hours)
2272512 IP addresses (2272512 hosts up) scanned in 135156.66 seconds (37.5 hours)
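The nmap command above writes grepable output (-oG). The parser below is an added example, not code from the slides, written from the network owner's side: it reads that format, reports which hosts really expose port 80, which server software answers, how many exposed hosts sit in each /24, and computes the scan rate from the "Nmap done" trailer. The sample output, addresses and banners embedded in it are constructed.

```python
"""Triage of nmap grepable (-oG) output for exposed web management interfaces.

Added example (not from the slides): given the results.gnmap that a scan like
the one above writes, it answers the questions a network owner or ISP security
team asks about its own address space: which hosts actually expose port 80,
what server software sits behind it, and how the exposure is spread per /24.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample of -oG output; addresses and banners are made up.
SAMPLE_GNMAP = """\
# Nmap 5.21 scan initiated Sat Aug 14 10:00:00 2010 as: nmap -sV -p 80 -oG results.gnmap -iL isp.targetips
Host: 203.0.113.10 ()\tStatus: Up
Host: 203.0.113.10 ()\tPorts: 80/open/tcp//http//micro_httpd/\tIgnored State: closed (0)
Host: 203.0.113.11 ()\tStatus: Up
Host: 203.0.113.11 ()\tPorts: 80/open/tcp//http//HP JetDirect httpd/
Host: 203.0.113.12 ()\tStatus: Up
Host: 203.0.113.12 ()\tPorts: 80/open/tcp//http//micro_httpd/
Host: 198.51.100.7 ()\tStatus: Up
Host: 198.51.100.7 ()\tPorts: 80/open/tcp//http//Boa HTTPd 0.94.14rc21/
Host: 198.51.100.8 ()\tStatus: Up
Host: 198.51.100.8 ()\tPorts: 80/filtered/tcp//http///
Host: 198.51.100.9 ()\tStatus: Up
Host: 198.51.100.9 ()\tPorts: 80/open/tcp//http///
# Nmap done at Sat Aug 14 10:02:00 2010 -- 6 IP addresses (6 hosts up) scanned in 120.50 seconds
"""

# "Host: <ip> (<name>)  Ports: <entries>[  Ignored State: ...]"
HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*?)(?:\tIgnored State:.*)?$")
DONE_RE = re.compile(r"(\d+) IP addresses \((\d+) hosts up\) scanned in ([\d.]+) seconds")

PortRow = Tuple[str, int, str, str]  # (ip, port, state, version)


def parse_gnmap(text: str) -> List[PortRow]:
    """Return one (ip, port, state, version) row per port entry in -oG output."""
    rows: List[PortRow] = []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # comment lines and the Status-only host lines
        ip, ports = m.group(1), m.group(3)
        for entry in ports.split(","):
            # Grepable port entry: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            rows.append((ip, int(fields[0]), fields[1], fields[6] or "unknown"))
    return rows


def exposed_hosts(rows: List[PortRow], port: int = 80) -> List[str]:
    """Hosts with the port really open; filtered/closed entries are not exposure."""
    return sorted({ip for ip, p, state, _ in rows if p == port and state == "open"})


def banner_counts(rows: List[PortRow], port: int = 80) -> Counter:
    """How many exposed hosts run each server software (e.g. micro_httpd)."""
    return Counter(v for _, p, state, v in rows if p == port and state == "open")


def per_subnet(rows: List[PortRow], port: int = 80) -> Dict[str, int]:
    """Exposed hosts per /24, the granularity at which an ISP notifies or filters."""
    counts: Counter = Counter()
    for ip in exposed_hosts(rows, port):
        counts[ip.rsplit(".", 1)[0] + ".0/24"] += 1
    return dict(counts)


def scan_rate(text: str) -> float:
    """Addresses per second from the '# Nmap done' trailer (0.0 if it is missing)."""
    m = DONE_RE.search(text)
    return int(m.group(1)) / float(m.group(3)) if m else 0.0


if __name__ == "__main__":
    rows = parse_gnmap(SAMPLE_GNMAP)
    print("exposed:", exposed_hosts(rows))
    print("banners:", banner_counts(rows).most_common())
    print("per /24:", per_subnet(rows))
    print("addresses/second: %.2f" % scan_rate(SAMPLE_GNMAP))
```

Applied to the slide's own trailer, scan_rate gives about 53.7 addresses per second for the 524288-address run.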
Finding Devices Without Scanning The Internet

NTP could be used to identify devices

[Link, truncated: ...network-time-protocol-ntp-fun.html]

DNS zone transfers from certain places reveal interesting results

Brute-forcing DNS sub-domains can reveal hosts too

[Link, truncated: ...ip-cameras-pt-6]
NTP: All your ntp are point to us

Netgear shipped thousands of routers in 2003 and pointed them to ntp1.cs.wisc.edu

Issued firmware fix, but who does that?

Routers still point to it, and thanks to HD Moore we can query it easily with metasploit

Gives us a list of Netgear routers that Bob would attack
Metasploit NTP Module

msf > use auxiliary/scanner/ntp/ntp_monlist
msf auxiliary(ntp_monlist) > set RHOSTS ntp1.cs.wisc.edu
RHOSTS => ntp1.cs.wisc.edu
msf auxiliary(ntp_monlist) > run

[*] Sending probes to 128.105.39.11->128.105.39.11 (1 hosts)
[*] 128.105.39.11:123 205.237.147.11:23457 (128.105.39.11)
[*] 128.105.39.11:123 86.29.31.176:23457 (128.105.39.11)
[*] 128.105.39.11:123 209.192.117.17:23457 (128.105.39.11)
[*] 128.105.39.11:123 70.54.203.193:60128 (128.105.39.11)
[*] 128.105.39.11:123 222.254.78.74:10001 (128.105.39.11)



Lots of DSL/Cable Providers on the list

What are chances these users have not updated firmware?

71.161.67.98 domain name pointer adsl-67-161-71.shv.bellsouth.net.
76.72.108.68 domain name pointer ip68-108-72-76.lv.lv.cox.net.
117.131.29.65 domain name pointer CPE-65-29-131-117.wi.res.rr.com
45.21.110.76 domain name pointer c-76-110-21-45.hsd1.fl.comcast.net
61.195.100.98 domain name pointer rrcs-98-100-195-61.central.biz.rr.com.
164.133.254.76 domain name pointer adsl-76-254-133-164.dsl.skt2ca.sbcglobal.net.
DNS Zone Transfer - MUCH

# time host -la ourlinksys.com 66.161.11.121 > ourlinksys.com.out

real 0m2.564s
user 0m0.456s
sys 0m0.068s

# wc -l ourlinksys.com.out
120815 ourlinksys.com.out

This no longer works with the above domain since I accidentally published the information without sanitizing.

Check out Metasploit's "gather/dns_enum" module written by Carlos Perez
D-Link

[Screenshot: D-Link router admin interface, TOOLS > DYNAMIC DNS. "The DDNS feature allows you to host a server (Web, FTP, Game Server, etc.) using a domain name that you have purchased (www.whateveryournameis.com) with your dynamically assigned IP address. Most broadband Internet Service Providers assign dynamic (changing) IP addresses. Using a DDNS service provider, your friends can enter your host name to connect to your game server no matter what your IP address is. Sign up for D-Link's Free DDNS service at www.DLinkDDNS.com." The Server Address drop-down offers www.DLinkDDNS.com, www.DynDNS.com (Custom) and www.DynDNS.com (Free); the form has Host Name (e.g. me.mydomain.net), Username, Password or Key, Verify Password or Key, Timeout 576 (hours), Status: Disconnect.]
Now that you've found them...

[Screenshot: Huawei SmartAX MT880 admin interface, DHCP Mode page ("Use this page to configure DHCP."): DHCP Server, Client IP Pool Starting Address 192.168.1.2, Size of Client IP Pool 32, Primary/Secondary DNS Server, Remote DHCP Server N/A, DHCP Lease Time 3 Days. The menu lists ATM Setting, Other Setting, LAN Config, NAT, ADSL Mode, IP Route, Advanced Function, Security, Time Zone, Remote Management, UPnP, Maintenance, User Management, DHCP Table, Diagnostic, Statistics, Restart, Firmware Upgrade, Logout. Copyright 2005.]

Scanning the entire ISP reveals thousands of devices with weak security
This Required NO PASSWORD

[Screenshot: AirTies RT-111 ADSL2+ modem admin interface (/cgi-bin/webcm), menu ANASAYFA, ADSL, YEREL AG, FIREWALL, NAT, ROUTING, YONETIM, DDNS, ARACLAR, RAPOR (home, ADSL, local network, firewall, NAT, routing, management, DDNS, tools, report). The welcome text thanks the user for choosing an AirTies product, recommends reading the manual and gives the AirTies call center number; the status page shows Internet connection: up, ADSL connection: up, ADSL speed: 512/1024 kbps, Internet IP address (blanked), Ethernet: up, DHCP server: enabled, firmware version 1.0.13, serial number, system uptime 188 hours 1 minute, system time 17 February 2010 05:58:28.]

ISP in Turkey. I told "Bob" to be nice, not to swear!
The Password Is Already

[Screenshot: ZyXEL P-661HW-D1 login page: "Welcome to your router Configuration Interface. Enter your password and press enter or click 'Login'". The Password field is already filled in.]
This Gets Scary

A certain ISP based in Turkey left default or blank passwords on seemingly every router

This helps in our plot for world domination:

1. Target geographic regions, exploit vulnerabilities exposed by that particular ISP+Cable Modem combo

2. Change DNS servers and control user's "Internets"

3. Change passwords and lock out user and ISP (not too stealthy)

4. More stealthy: Upload new firmware to provide new functionality (like password logging, SSL MiTM, etc..)
EPIC WIN!

[Screenshot: Linksys by Cisco Setup Wizard, "Create a new Device Password": "Your Wireless Bridge comes with a default password. You must create a new, unique password for your Wireless Bridge. This password will be used to access your device's advanced settings. Enter a new password below and click Next." The Password field contains "admin" and the wizard answers: "The new password must be different from the default password, which is 'admin'."]

WET610N setup program forces you to change the default password of "admin" to something different!

EPIC FAIL!

[Screenshot: Linksys by Cisco Setup Wizard, "Set Up Wireless": "Below are your settings for your Wireless Bridge. Linksys highly recommends that you print your settings or write them down." Device Password: admin1, Network Name (SSID): pauldotcom-bridge, with the box "Save these settings in a text file on my desktop." checked.]

Don't let them save it in a clear text file! Noooooooo!



Can we at least get a USERNAME with a password?

[Screenshot: HP JetDirect web interface (Home, Device Info, Other Links: Help, Support, HP Home) behind the browser login prompt: "To view this page, you must log in to this area: HP Jetdirect Networking (password only, no username required). Your password will be sent unencrypted." Name field empty, Password field, "Remember this password in my keychain". Device info: HP JetDirect J6035B, Firmware Version M.24.06, IP Address (blanked), Hardware Address (blanked), Admin Password: <Set>, System Contact and System Location empty, Status: Paper jam.]
Multifunction Devices Do EVERYTHING

Print, scan, fax, copy, email, wash my car, write my TPS reports, pick up the dry cleaning, bring me beer...

Most devices can be accessed without authentication:

- I tested this internally on a few networks

- "Bob" tested this against millions of hosts on the Internet

Zscaler made a post as well:

- http://research.zscaler.com/2010/08/corporate-espionage-for-dummies-hp.html
Scan

[Screenshot: HP OfficeJet 6500 E709a embedded web server, Webscan page, reached directly over the Internet. Status: Ready. "Webscan lets you scan photos and documents from your device to your computer using a Web browser, even if you chose not to install the device software on your computer. To use Webscan, load your original print side down in the right front corner of the glass, and then close the lid. After the original is loaded, select the image type and document size, and then click 'Preview' or 'Scan'. (Clicking 'Preview' initiates a scan and displays a preview of the original in the EWS. However, the image is not saved on the computer until you click 'Scan'.) To reset the preview window, click 'Reset'. Note: You can only scan single-page documents from the scanner glass when using Webscan." Image Type: Color Picture, Color Drawing, B/W Picture, Text; document size: Letter.]
[Scanned document retrieved through Webscan: a Bikram Yoga studio's release form, with fields for Name, Phone Number, E-mail, Address, City, State, Zip Code, Date of Birth, "How did you hear about us?", "Any medical issues we should know about?", followed by the liability waiver text with boxes to initial.]
[Printer job log entries: "Microsoft PowerPoint - The Demonization of Israel Aug22_08-03-2010.ppt [Compatibility Mode]" (several versions, one marked [Read-Only], status Completed); "2010 (Dec '09-Dec '10) Donations Received-08-02-2010 Sorted by Alpha"; "POP Poster.pdf"; "israel_trip (3) finalpdf.pdf"; "Student Brochure Combined in 07-27-2010.pub" (Completed).]
Someone left a printer exposed to the Internet and now I know...

[WITH A LITTLE HELP FROM GOOGLE]

The person's name, where they work, which department they work in

Their area of study (Jewish studies)

Potentially when they are taking a trip

What applications they run (Powerpoint, Excel, PDF reader, MS Publisher)

- Not the same version of Powerpoint that created the document

They accept donations & promote Israel

UPO-23 = Electronic Hourly Employee Timecard for student mentor
Can I have your USB stick?

Yes.

[Screenshot: Lanier MP C3500/LD435C Web Image Monitor, "Copy Card Save Data" dialog, Target Slot: SD Card Slot 1, OK / Cancel.]






Roku

press up
press down
press left
press right
press select
press home
press fwd
press back
press pause

# nc 192.168.1.240 8080
D0C9DP009064
ETHMAC 00:0d:4b:4c:29:5e
WIFIMAC 00:0d:4b:4c:29:5f
>

http://forums.roku.com/viewtopic.php?t=20106&sid=f0702e3bbba722ac7f1a59307209782c
World Domination Propaganda

http://www.i-hacked.com/content/view/274/48/
Even More Attacks

HD Moore found several flaws in VxWorks, scanned 3.1 billion IP addresses and found 250,000 systems exposed to the Internet

- http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html

Craig Heffner discovered a DNS rebinding attack on several routers allowing attackers to gain control of administrative interfaces
Even More Attacks

Ki-Chan Ahn and Dong-Joo Ha created malware for Nintendo Wii and DS systems

- http://games.venturebeat.com/2010/07/31/live-demos-of-hacking-the-nintendo-ds-and-the-wii-to-spread-malware/

Barnaby Jack remotely attacked two different ATMs and "made the money come out" (without a card+pin #)

- http://www.youtube.com/watch?v=awMuMSPW3bU
Potential Linksys Vulnerability



Reported to Cisco PSIRT Feb 17, 2010 

HNAP request can crash admin web 
server on certain models with certain 
firmware versions 

Low impact vulnerability discovered by 
accident while trying to send a valid request 

The HNAP request format was taken directly 
from Cisco's own documentation 
Curl Rules

curl http://192.168.1.70:80/HNAP1/ -v --basic \
  --user admin:admin \
  -H 'SOAPAction: "http://purenetworks.com/HNAP1/GetWLanRadioSecurity"' \
  --data @xml/GetWLanRadioSecurity.xml

<?xml version="1.0" encoding="utf-8"?>
<!-- the soap: prefix needs this namespace declaration for the envelope to be well-formed XML -->
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetWLanRadioSecurity xmlns="http://purenetworks.com/HNAP1/" />
  </soap:Body>
</soap:Envelope>
Lame?

• Turns out to not be reproducible (my router was a DD-WRT upgrade)

• Certainly lame. However, it shows just how fragile these devices and protocols are

• What would happen if you were to actually fuzz HNAP?

• Release notes of firmware running on device say "Fixed HNAP issue"

• However, there is no way to disable HNAP
But Seriously, What Do We Do About It?

I can show you embedded systems security fail until you are tired of hearing about it (which was probably 15 minutes ago or longer)

I could go out and find more vulnerabilities and talk about them

Some problems are implementation-based, never mind a 0day (e.g. no HNAP disable)

So how do we fix it?
Security FAIL

www.securityfail.com

Used to redirect to www.grc.com (Gigidy)

It is now a public Wiki where people can write mini-articles on security failures

First major section will be dedicated to embedded systems

Write-in about how embedded security has failed you

- 0days are okay too, but not sure that will help

Raise awareness and work to change the industry to implement better security on devices
www.securityfail.com

Some GOALS to get us started:

We want vendors of embedded systems to:

- FORCE the user to select the password

- Allow users to disable protocols

- Only enable secure management protocols by default (HTTPS, SSH)

We want ISPs to:

- Block inbound port 80 on user subnets

- Manage customer devices properly and implement security
Sign up for an account

• Email me if you want an account in the mean time

• Or just send me your stories anonymously

• This is a non-profit project

- Its sole purpose is to raise awareness and hopefully work with the industry to change
Buffalo:WBR2-G54

Default username disclosure

When HTTP Basic auth fails for the admin web console on this device a message is displayed which reveals the administrator username to be root.

Password Error.

Enter the password regarding following tips:

* Enter a user name as [root].

* The password is upper/lower case sensitive.

The admin console may be accessible on the WAN side of the device and the default password is null.
Belkin:F5D7633 1.00.000

Password Leakage

In the source of mainlogin.html the password for all three types of account can be found in the small chunk of JavaScript within the <head> tags.

Configuration Leakage

Browse to <router ip>/user.conf for a full dump of the user configuration that includes network keys, allowed MAC addresses, passwords, PPPoE/etc credentials & firewall entries. No authentication required.

Connecting to the router through telnet and running dumpcfg will output the configuration of the router, as above.

Authentication Bypass

Authentication can be bypassed by visiting the following URL:

<router ip>/Tsmefogotit.cgi?usrUserName=pass. Exchange 'pass' with 'fail' to log off.
So what about World Domination?

[Image: "TAKING OVER THE WORLD"]
Things I wanted to cover but ran out of space

The "Chuck Norris" worm, which could be a version of psyb0t?

Static analysis of device firmware, mounting the filesystems, finding vulnerabilities

Analyzing video game systems, Tivo, and Blu-ray players as they are network connected

Wireless type worms and default Wifi settings

Segmentation is just a band-aid
Don't Forget: www.securityfail.com

• Presentations: http://pauldotcom.com/presentations.html

• Radio: http://pauldotcom.com/radio

• Live Stream: http://pauldotcom.com/live

• Forum: http://forum.pauldotcom.com/

• Webcasts: http://pauldotcom.com/webcasts

• Insider: http://pauldotcom.com/insider

http://pauldotcom.com